lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAHmS9P+822jkDTyQA3OOEmY2mhG1n37qcygrYuNYA_52io8HPw@mail.gmail.com>
Date: Fri, 4 Sep 2015 15:14:11 -0400
From: David Coomber <davidcoomber.infosec@...il.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com, vuln@...unia.com,
  cert@...t.org
Subject: Webroot SecureAnywhere Mobile Protection - MITM SSL Certificate Vulnerability

Webroot SecureAnywhere Mobile Protection - MITM SSL Certificate Vulnerability
--
http://www.info-sec.ca/advisories/Webroot-SecureAnywhere.html

Overview

"Webroot SecureAnywhere Business – Mobile Protection provides
essential security for iPhones and iPads and includes lost device
protection that allows administrators to remotely locate the device,
make the device scream and lock or wipe the device if it’s misplaced
or stolen. The Webroot mobile device security console provides central
management and inventory controls to IT professionals securing their
mobile workforce."

(https://itunes.apple.com/us/app/mobile-protection/id565693635)

Issue

The Webroot SecureAnywhere Business – Mobile Protection iOS
application (version 1.10.316 and below) does not validate the SSL
certificate it receives when connecting to a secure site.

Impact

An attacker who can perform a man in the middle attack may present a
bogus SSL certificate which the application will accept silently.
Usernames, passwords and sensitive information could be captured by an
attacker without the user's knowledge.

Timeline

August 2, 2015 - Notified Webroot via security@...root.com & secure@...root.com
August 3, 2015 - Webroot responded saying that the 'limitation' would
be addressed in an upcoming version
August 3, 2015 - Asked Webroot for a timeline to provide an updated version
August 31, 2015 - Webroot released version 1.11 which resolves this
vulnerability

Solution

Upgrade to version 1.11 or later

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ